On Thu, Jan 18, 2007 at 07:41:07AM -0500, Seth Hanford wrote:
> I've been VERY pleased with spamd performance on my system. My mail
> volume is so low (~300 msgs/day) that I may consider removing
> SpamAssassin, because spamd catches just about everything. I've gone
> from about 80 spam messages caught by SA to less than 2 caught, per day.
> Users are also reporting few to NO spam making it past the filters.

If you already have SA in place then I'd advise you to leave it there.
It's costing you very little now, with spamd taking the load off. There
*are* spammers out there who are using "normal" mail servers, either
their own, open relays, or trojaned boxes. So you will see spurts of
spam come past spamd from time to time, and SA helps.

> However, I also have controls in place on my Postfix installation to
> prevent delivery of messages to non-existent accounts. The weird thing
> is, for about the last month or so, I've been catching just about 100%
> spam BEFORE it gets to SpamAssassin. However, Postfix has been catching
> between 5 and 20 messages per day that have a null sender address.
> 
> So I have two main questions at this point:
> 1) Does it make sense to have spamd discard malformed sender / recipient
> addresses? In this case, there is no envelope sender address at all,
> which I seem to recall violates an RFC

I have often thought about this. It's a statistical solution, since there
are some "legit" servers out there sending with <> as sender. Mostly
it's spammers, but mostly they get caught by spamd anyway.

> 2) Spamd was seemingly targeted by this spammer. However, to date there
> hasn't been a big influx of spam to my site. It almost seems like a
> surgical strike to get IP addresses added to my spamdb whitelist, until
> the "second wave" of overwhelming junk can come through.
> 
> Only one message came in, and obviously it wasn't too important to the
> spammer to get anyone to read it, so it almost seems like a decoy. What
> additional information should I look for to keep this from happening in
> the future?
> 
> If this is a weakness of spamd, I'm perfectly happy to rely on a second
> or third layer to handle spam removal -- I have Postfix and SA in place
> to do just that. But since spamd is the "cheapest" solution, I prefer to
> do as much there as I can. :)

I wouldn't call it a weakness. Spamd does what it does, and has a
tremendous effect. There are many things that it doesn't do, and for
good reason. Not to say that tweaks and features won't be added in the
future, but spamd needs to remain very lightweight and focused.

There are things you can do behind spamd to help. In addition to spamd
and SA, I use relaydb. Relaydb is cool. If something gets through spamd
and gets flagged as spam by SA, I send it to relaydb (from procmail)
which extracts the IP and adds it to a database. This can be used in
spamd.conf as a blacklist (it's even in there already, commented out).

-- 
Darrin Chandler            |  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
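
An added illustration of the feedback loop described in the reply above (not part of the original message, and not relaydb's own code): take a message SpamAssassin flagged, find the address that handed it to your own MX, and collect it for a blacklist. The names `spam_relay`, `blacklist_lines`, `TRUSTED` and all hosts and addresses in the sample are assumptions; only the `Received` line written by a host you control is used, since anything below it is supplied by the sender.

```python
import email
import ipaddress
import re

# Assumption: the network our own mail hosts live in (documentation range).
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]
PEER_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")  # IPv4 only

# Constructed sample: accepted by our MX, flagged by SpamAssassin.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mailstore.example.org with ESMTP id 1; Thu, 18 Jan 2007 07:00:02 -0500
Received: from unknown (HELO forged.example.net) (203.0.113.77)
    by mx.example.org with SMTP; Thu, 18 Jan 2007 07:00:01 -0500
Received: from bank.example.com ([198.51.100.5])
    by forged.example.net; Thu, 18 Jan 2007 06:59:00 -0500
X-Spam-Flag: YES
From: <>

body
"""

def spam_relay(raw, trusted=TRUSTED):
    """Return the IPv4 address that handed an SA-flagged message to us, or None."""
    msg = email.message_from_string(raw)
    if (msg.get("X-Spam-Flag") or "").strip().upper() != "YES":
        return None
    # Received headers are newest first: our own hops come first. Stop at the
    # first peer outside TRUSTED and never read the forgeable headers below it.
    for hdr in msg.get_all("Received") or []:
        from_part = re.split(r"\sby\s", hdr, maxsplit=1)[0]
        m = PEER_IP.search(from_part)
        if not m:
            return None  # cannot vouch for anything below an unparsable hop
        try:
            peer = ipaddress.ip_address(m.group(1))
        except ValueError:
            return None  # e.g. an octet above 255
        if not any(peer in net for net in trusted):
            return str(peer)
    return None

def blacklist_lines(messages, trusted=TRUSTED):
    """Sorted, de-duplicated relay addresses, one per list entry."""
    found = {ip for ip in (spam_relay(m, trusted) for m in messages) if ip}
    return sorted(found, key=ipaddress.ip_address)

if __name__ == "__main__":
    print("\n".join(blacklist_lines([SAMPLE])))
```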
